Rewired

Cybersecurity Governance

eBook - ePub

About this book

Examines the governance challenges of cybersecurity through twelve real-world case studies

Through twelve detailed case studies, this superb collection provides an overview of the ways in which government officials and corporate leaders across the globe are responding to the challenges of cybersecurity. Drawing perspectives from industry, government, and academia, the book incisively analyzes the actual issues, and provides a guide to the continually evolving cybersecurity ecosystem. It charts the role that corporations, policymakers, and technologists are playing in defining the contours of our digital world.

Rewired: Cybersecurity Governance places great emphasis on the interconnection of law, policy, and technology in cyberspace. It examines some of the competing organizational efforts and institutions that are attempting to secure cyberspace and considers the broader implications of the in-place and unfolding efforts—tracing how different notions of cybersecurity are deployed and built into stable routines and practices. Ultimately, the book explores the core tensions that sit at the center of cybersecurity efforts, highlighting the ways in which debates about cybersecurity are often inevitably about much more.

  • Introduces the legal and policy dimensions of cybersecurity
  • Collects contributions from an international collection of scholars and practitioners
  • Provides a detailed "map" of the emerging cybersecurity ecosystem, covering the role that corporations, policymakers, and technologists play
  • Uses accessible case studies to provide a non-technical description of key terms and technologies

Rewired: Cybersecurity Governance is an excellent guide for all policymakers, corporate leaders, academics, students, and IT professionals responding to and engaging with ongoing cybersecurity challenges.

Rewired: Cybersecurity Governance is edited by Ryan Ellis and Vivek Mohan.

1
Cybersecurity Information‐Sharing Governance Structures: An Ecosystem of Diversity, Trust, and Trade‐offs

Elaine Sedenberg (1) and Jim Dempsey (2)

(1) School of Information, University of California, Berkeley, CA, USA
(2) Berkeley Center for Law & Technology, School of Law, University of California, Berkeley, CA, USA

1.1 Introduction

Policymakers and corporate representatives have frequently discussed cybersecurity information sharing as if it were a panacea. The phrase itself refers to many different activities and types of exchanges, but from about 2009 to the end of 2015, the cybersecurity policy debate in Washington, DC, was dominated by calls for greater information sharing.[1] Influenced in part by the post‐9/11 theme of “connecting the dots,” both policymakers and the private sector commonly accepted that improved cybersecurity depended on – and would flow inexorably from – expanded information sharing within the private sector and between the private sector and the federal government.[2] This view seemed to rest upon the assumption that with more information, systems may be made more secure through prevention measures or rapid remediation. Policymakers, reluctant to regulate cybersecurity standards, viewed voluntary information sharing as a tangible coordination activity that could be incentivized through policy intervention and sometimes directly facilitated by federal government roles.[3] The policy debate culminated with the 2015 passage of the Cybersecurity Information Sharing Act (CISA).[4] The law sought to encourage information sharing by the private sector by alleviating concerns about liability for sharing otherwise legally restricted information. It also sought to improve sharing within the federal government and between the government and the private sector.
CISA was debated and adopted after several decades of efforts within law enforcement and national security agencies to coordinate and increase information sharing with and within the private sector. The US Secret Service (USSS) established the New York Electronic Crimes Task Force (ECTF) in 1995 to facilitate information exchanges among the private sector, local and national law enforcement, and academic researchers. In 2001, the USA PATRIOT Act mandated that the USSS create a nationwide network of ECTFs, which eventually consisted of over 39 regional hubs.[5] In 1998, Presidential Decision Directive 63 (PDD‐63) authorized the Federal Bureau of Investigation (FBI) to create a National Infrastructure Protection Center (NIPC) as a focal point for gathering and disseminating threat information both within the government and with the private sector.[6] PDD‐63 simultaneously directed the national coordinator for infrastructure protection to encourage the private sector to create an Information Sharing and Analysis Center (ISAC).[7] The role of the private sector center was to collect and analyze private‐sector information to share with the government through the NIPC, but also to combine both private‐sector information and federal information and relay it back out to industry.[8] Although PDD‐63 anticipated that there would be one national ISAC, various sectors ultimately formed their own ISACs focused on industry‐specific security needs.[9]
Over time, additional federal agencies also developed their own information‐sharing systems and procedures. For instance, US Computer Emergency Readiness Team (US‐CERT) – an organization that took over many of NIPC's functions after it was dissolved following a transfer to the Department of Homeland Security (DHS) – releases vulnerability information and facilitates response to particular incidents. Various other information exchanges and feeds – each with its own scope, access policies, and rules – were established across federal agencies charged with securing aspects of cyberspace. For example, in 2001 the FBI formally announced its “InfraGard” project, designed to expand direct contacts with private‐sector infrastructure owners and operators, as well as to share information about cyber intrusions, exploited vulnerabilities, and infrastructure threats.[10]
In addition to these piecemeal federal efforts to expand cyber information sharing, private‐sector information‐sharing arrangements also proliferated. Antivirus software companies agreed to share virus signatures with each other, essentially deciding to differentiate themselves on platform usability and support instead of competing for data.[11] Additionally, security researchers and individual corporate professionals formed ad hoc arrangements around critical responses to major incidents such as the Conficker worm and the Zeus botnet – threats that required coordination of response as well as exchange of information.[12]
Consequently, even before CISA was enacted, an ecosystem of information exchanges, platforms, organizations, and ad hoc groups had arisen to respond to increasingly pervasive and complex security threats within all industries. Today, this ecosystem of information‐sharing networks is characterized by a high degree of diversity – the result of years of evolving policies and cooperative models, driven by both the federal government and private sector. Information‐sharing models and structures operate in different niches – working sometimes in silos, occasionally duplicating efforts, and sometimes complementing each other.[13]
CISA attempted to advance information sharing on four dimensions: within the private sector, within the federal government, from the private sector to the government, and from the government to the private sector. However, the legislation was enacted without first fully mapping the ecosystem that had developed in the preceding years. Little effort was made to identify what was working effectively and why, or to de‐conflict existing federal programs. Instead, the private sector repeatedly stated – and policymakers accepted – that concerns over legal liability (mainly arising, it was asserted, from privacy laws) were inhibiting information sharing. Therefore, one of CISA's major provisions was liability protection for private sector organizations as an incentive for more information sharing.
CISA's usefulness and impact on the information‐sharing ecosystem have yet to be demonstrated. On the contrary, our study suggests that the law did little to improve the state of information sharing. If anything, it only added more hurdles to federal efforts by mandating that the federal portal include unnecessary technical details (free‐field text entry) and cumbersome submission methods (e‐mail). The law lacked specificity on how federal efforts would work with each other and with already existing information‐sharing networks in the private sector. Focusing almost solely on the private sector's liability concerns, it failed to address other key factors associated with sharing, including trust management, incentives, reciprocation, and quality control. In sum, CISA was a policy intervention divorced from existing sharing mechanisms and lacking a nuanced view of important factors that could enable agile exchanges of actionable information.
This chapter focuses on cybersecurity information sharing within the private sector and between the private sector and the federal government (leaving to others the issue of sharing within the federal government itself). It examines how governance structures, roles, and associated policies within different cybersecurity information‐sharing organizations impact what information is shared (and with whom) and the usefulness of the information exchanged. This research is based on a qualitative analysis of 16 semi‐structured interviews with cybersecurity practitioners and experts. Using these interviews and other available information on cybersecurity sharing, we have created a taxonomy of governance structures that maps the ecosystem of information‐sharing organizations – each of which fills particular security needs and is enabled by different policy structures. This chapter discusses the implications of these policies and structures for values that directly impact sharing, particularly the trade‐off between trust and scalability. This research illustrates how different governance models may result in different degrees of success within the complex and changing cybersecurity ecosystem. Our findings point to lessons – mainly caut...

Table of contents

  • Cover
  • Table of Contents
  • Notes on Contributors
  • Acknowledgments
  • Introduction
  • 1 Cybersecurity Information‐Sharing Governance Structures
  • 2 Cybersecurity Governance in the GCC
  • 3 The United Kingdom's Emerging Internet of Things (IoT) Policy Landscape
  • 4 Birds of a Feather
  • 5 An Incident‐Based Conceptualization of Cybersecurity Governance*
  • 6 Cyber Governance and the Financial Services Sector
  • 7 The Regulation of Botnets
  • 8 Governing Risk
  • 9 Containing Conficker
  • 10 Bug Bounty Programs
  • 11 Rethinking Data, Geography, and Jurisdiction
  • 12 Private Ordering Shaping Cybersecurity Policy
  • Bibliography
  • Index
  • End User License Agreement